DNSChanger servers shut down, Internet survives

By William Jackson

Jul 09, 2012

The scheduled shutdown of DNS servers established by the FBI as a safety net for computers infected with DNSChanger malware took place July 9 without creating major problems for users or their Internet service providers.

According to the latest figures from the FBI, about 42,000 unique IP addresses from the United States, and about 211,000 unique addresses worldwide, still were connecting with the servers as of July 8. Because the same address could be used by more than one device, the actual number of users affected by the shutdown could be larger.

Although the numbers are large, they represent a sharp drop from the millions of computers believed to have been infected when the criminal ring responsible for the malware was broken up by U.S. and European law enforcement in November. As recently as late June, more than 300,000 unique IP addresses still were communicating with the temporary servers worldwide, about 70,000 of them in the United States.

At the time operation was shut down, DNSChanger had infected computers
at 27 federal agencies, but most of those infections were cleaned up
before the first shut-off deadline in March.

Those users still infected with the virus are not able to connect with Internet destinations once the DNS servers they are being directed to have been shut down. The impact has been lessened, however, by service provides that are redirecting DNS queries internally and directing users to pages offering help or other options for cleaning up the infections.

“We’ve not seen anything significant as of yet,” said Verizon spokesman Bob Elek hours after the servers were shut down. As many as 10,000 Verizon customers were believed to still have been infected. Those customers are being put into to a “soft-walled garden” when they go online, where landing page will tell them of the problem and offer options for fixing it. They can get instructions for doing it themselves, can get 30 days of free tech support service, or can be referred to third party support. This will continue through July.

Discovered in 2006, DNSChanger is malware that allowed criminals to hijack Web traffic by directing DNS requests to their own malicious servers for resolution. The FBI helped to shut down the criminal operation in November. To keep infected users from going dark, it obtained a court order allowing Internet Systems Consortium to operate clean DNS servers using the gang’s IP addresses for 120 days. This was extended to July 9 to give more time to clean up the infections. The servers went offline at 12:01 a.m.

Although some news accounts warned of a massive shutdown of the Internet, the impact is limited primarily to scattered individuals rather than to any large groups.

“As most informed security folks expected, the possibility of a massive, wide-scale shutdown of Internet service predicted in some news outlets due to DNSChanger malware did not materialize,” said Dan Brown, director of security research at the security company Bit9. “It is likely that some companies will be affected, but many won’t report it if they are.”

Brown also said that the redirection of DNS queries by DNSChanger is only one part of its malicious activity. The malware also can disable antivirus tools and the automatic updates used to patch software security problems, leaving infected machines vulnerable to future exploits.

Even if Internet connectivity is not disrupted, “companies should monitor their networks for DNS traffic going to the expected IP addresses and thoroughly investigate or reimage affected systems that they find,” he said.